
Restricting htaccess hierarchy

Discussion in 'General Discussion' started by outpostmm, Oct 31, 2013.

  1. outpostmm

    outpostmm Member

    Joined:
    Dec 3, 2008
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Hello,

    We have a few servers running WHM/cPanel 11.38.2 on CentOS 5.10.

    Here's the TL;DR:

    I have a .htaccess file with rewrite rules in a certain directory. Ideally I want to ignore all .htaccess files in sub-directories under that one, or alternatively add a rule to always use those rewrite rules and ignore rewrite rules in .htaccess files inside sub-directories.

    Here are the specifics:

    Our PHP application allows admin users to upload content which can contain any arbitrary files (including other PHP scripts or .htaccess files). If a zip file is uploaded as a piece of content, it is simply extracted into the directory for that content, so the zip file could have any number of directories and files inside it. We have some application options that admins can use to restrict access to all content directories to only logged-in users, and also to restrict uploaded PHP code from running. In order to accomplish that, we have a .htaccess file inside the root content directory (called resources) which redirects all requests to a PHP script outside of that directory:

    Code:
    Options FollowSymLinks
    RewriteEngine On
    RewriteRule .* ../auth_resource.php?__f=$0 [L,QSA]

    So that file goes into the resources directory, and whenever someone uploads a new piece of content then it will create a sub-directory inside resources and put the content files there. However, I just discovered that if the content contains a .htaccess file with rewrite rules, then our protection scheme gets completely bypassed: it no longer redirects requests to our authentication/authorization script, so the protections offered by that auth_resource.php file no longer come into play.

    Ideally, I would like to be able to add additional rules to the .htaccess file inside the resources directory to simply tell Apache to ignore all .htaccess files inside any sub-directory; I don't want user-uploaded files to change Apache directives at all. If that isn't possible, then it would at least be better to have a directive that tells Apache to always use the rewrite rules inside the resources .htaccess file and ignore any other rules, so that at least we can make sure that our authorization script is never going to be bypassed when that feature in the application is enabled.

    Do I have any solution for this other than scanning all content directories to delete uploaded .htaccess files?

    Thanks
     
  2. outpostmm

    Thanks for the reply.

    It doesn't look like the AllowOverride directive is going to work for this situation. It looks like I can only apply that directive in the main server config file, and I can't use regular expressions to specify the directories. So that wouldn't work if I want to set a rule to disallow .htaccess files in all subdirectories under /home/[user]/public_html/resources while allowing the .htaccess file in resources to keep working. For us that directory pattern would have to be public_html/resources/[0-9]*/.
     
  3. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    If you read here:
    core - Apache HTTP Server

    It says:
    You should be able to get it to work if you set AllowOverride in each virtualhost separately.
     
  4. outpostmm

    If I can't use a regular expression in the directory specification, how can I set that option for all sub-directories under resources while still allowing it in resources?
     
  5. quietFinn

    Right, guess it's not possible then...

    What if you disable .htaccess completely and then do that redirection in virtualhost(s)?
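
The last suggestion in the thread (turn .htaccess off and do the redirect in the virtual host) could look like the following. This is an added example, not configuration posted by anyone in the thread; the account path `/home/exampleuser/public_html` is a hypothetical placeholder, and the rewrite rule is the one from the first post.

```apache
# Added example. Place inside the site's <VirtualHost> block or in a
# server-level include. "/home/exampleuser" is a hypothetical account path.
<Directory "/home/exampleuser/public_html/resources">
    # With AllowOverride None, Apache does not read .htaccess files in this
    # directory or in anything below it, so an uploaded .htaccess is inert.
    AllowOverride None

    # The rules from resources/.htaccess now live in server configuration.
    # In <Directory> context they are evaluated per directory, the same way
    # they were in the .htaccess file, and they apply to all sub-directories.
    Options FollowSymLinks
    RewriteEngine On
    RewriteRule .* ../auth_resource.php?__f=$0 [L,QSA]
</Directory>
```

Run `apachectl configtest` before reloading Apache. Once this block is active, the existing resources/.htaccess is no longer read either, so its rules must not be relied on.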
     